Splunk Search

How do I edit my regular expression to extract a field from my sample log event?

namritha
Path Finder

Hi,
I am trying to extract a field from a log event, but need help as my RegEx seems to be wrong.

Input string:

2011-07-11 14:45:59,965 | PERF  | [http-jboss-vm-a1b25.prod.v3-nonpid-brown.cloud.ab.com/12.47.5.87:8223-34] | [com.ab.fap.webser.client.RestServiceClient] | [0b108g34-9529-707c-6e2c-fd510206d1md] | [] | TIME: (0) 2011/07/11 14:45:59:943 to 14:45:59:965 19 ms. https://abcdefapi.ab.com/v4/sof/bcp/{ssf_nuid}

Regular expression used: ^(?:[^:\n]*:){10}\d+\s+\d+\s+\w+\.\s+

The regular expression matches the string up to "ms", as shown below:


I want to extract everything after "ms", i.e. the value "https://abcdefapi.ab.com/v4/sof/bcp/{ssf_nuid}" in this case.
Please tell me what is incorrect in the command below, or what the correct command is.

Command used:
source="abc.log"|rex field=_raw "^(?:[^:\n]*:){10}\d+\s+\d+\s+\w+\.\s+(?P)\w+" does not extract

NOTE: All field values have been changed to dummy values and do not represent the real configurations.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You're falling into the common trap of trying to match more than is necessary. If you're only interested in the URL, then write a regex for a URL. This works with your sample.

source="abc.log" | rex "(?<url>http[s]:\/\/.*)" | ...
---
If this reply helps you, Karma would be appreciated.


sundareshr
Legend

If you just want to capture everything after "ms" up to the end of the event, you can use this regex:

\d+\s+ms\.\s+(?<url>.*)
0 Karma
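To see how the poster's pattern and the two suggested patterns behave side by side, here is an added example (not code from the thread or from Splunk). It uses Python's re module as a stand-in for Splunk's PCRE-based rex command, so the named group is spelled (?P<url>...) instead of (?<url>...); the sample event is the one from the question, plus a constructed variant with a plain http:// URL and trailing whitespace, and the "tightened" pattern is my addition rather than something either answer proposed.

```python
import re

# Sample event copied from the question (the poster's dummy values), plus a constructed
# variant with a plain http:// URL and a trailing space/CR, to expose two edge cases.
SAMPLE = (
    "2011-07-11 14:45:59,965 | PERF  | "
    "[http-jboss-vm-a1b25.prod.v3-nonpid-brown.cloud.ab.com/12.47.5.87:8223-34] | "
    "[com.ab.fap.webser.client.RestServiceClient] | "
    "[0b108g34-9529-707c-6e2c-fd510206d1md] | [] | "
    "TIME: (0) 2011/07/11 14:45:59:943 to 14:45:59:965 19 ms. "
    "https://abcdefapi.ab.com/v4/sof/bcp/{ssf_nuid}"
)
SAMPLE_HTTP = SAMPLE.replace("https://", "http://") + " \r"  # constructed variant

# The poster's original pattern, exactly as in the question: (?P) is not a valid group.
ORIGINAL = r"^(?:[^:\n]*:){10}\d+\s+\d+\s+\w+\.\s+(?P)\w+"

PATTERNS = {
    # The original with the group named: shows what it would capture once it parses
    # (\w+ stops at the ':' of the scheme, so only "https" is captured).
    "original_named": r"^(?:[^:\n]*:){10}\d+\s+\d+\s+\w+\.\s+(?P<url>\w+)",
    # richgalloway's answer; [s] is a mandatory character, so only https:// matches.
    "richgalloway": r"(?P<url>http[s]:\/\/.*)",
    # sundareshr's answer; .* runs to end of line, including any trailing whitespace.
    "sundareshr": r"\d+\s+ms\.\s+(?P<url>.*)",
    # Tightened variant (my addition, not from the thread): optional 's', stop at whitespace.
    "tightened": r"(?P<url>https?://\S+)",
}


def compiles(pattern: str) -> bool:
    """True if Python's re engine accepts the pattern."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def extract_url(line: str, pattern: str):
    """Return the 'url' capture group, or None if the pattern does not match the line."""
    m = re.search(pattern, line)
    return m.group("url") if m else None


def run_all(line: str) -> dict:
    """Apply every named pattern to one event; a None value means no match."""
    return {name: extract_url(line, pat) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    print("original pattern compiles:", compiles(ORIGINAL))
    for label, line in (("sample", SAMPLE), ("http variant", SAMPLE_HTTP)):
        for name, url in run_all(line).items():
            print(f"{label:13} {name:15} -> {url!r}")
```

Running it shows the three things a practitioner cares about: the original fails to parse because the capture group has no name, and even with a name its \w+ would stop at the colon and return only the scheme; richgalloway's pattern silently extracts nothing for an http:// URL; sundareshr's pattern drags trailing whitespace into the field value. Anchoring on https?:// and ending the capture at \S+ avoids both, which matters when the extracted field is later used in a lookup or a correlation search.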

MuS
SplunkTrust
SplunkTrust

Upvote on this, because it matches in fewer steps and is therefore much faster 😉

0 Karma